Release of Samba 4.20.0

After six months of development, Samba 4.20.0 has been released, continuing the development of the Samba 4 branch with a full implementation of a domain controller and Active Directory service that is compatible with the Windows 2008 implementation and can serve all Microsoft-supported versions of Windows clients, including Windows 11. Samba 4 is a multifunctional server product that also provides a file server, a print service and an identity server (winbind).

Key changes in Samba 4.20:


  • By default, the build of the new utility “wspsearch” with the implementation of an experimental client for the WSP (Windows Search Protocol) protocol is enabled. The utility allows you to send search requests to a Windows server running the WSP service.
  • The “smbcacls” command can now write a DACL (Discretionary Access Control List) to a file and restore the DACL from that file. Data is saved in the format used by the Windows utility 'icacls.exe', so files with saved DACLs are portable between the two tools.
  • Extensions for centralized Active Directory access policies have been added to the “samba-tool” utility: claims, authentication policies (Authentication Policies) and policy containers (Authentication Silos). samba-tool can now be used to bind claims to users for subsequent use in the rules that determine whether an authentication policy grants access.

    In addition, samba-tool can now be used to create and manage authentication policies and policy containers. For example, samba-tool can define from where a user may connect, whether NTLM is allowed, and against which services the user may authenticate.

  • The Samba-based Active Directory domain controller now supports Authentication Policies and Authentication Silos created through samba-tool or imported from Microsoft AD configurations. The feature is only available on systems with an Active Directory functional level of at least 2012_R2 (“ad dc functional level = 2016” in smb.conf).
  • Client-side support for gMSA (Group Managed Service Account) managed accounts, which use automatically rotated passwords, has been added to samba-tool. The password management commands in samba-tool, which previously could only be used against the local sam.ldb database, can now be run against a remote server with authenticated access using the “-H ldap://$DCNAME” option. Supported operations include “samba-tool user getpassword” to read the current and previous gMSA password, and “samba-tool user get-kerberos-ticket” to write a Kerberos TGT (Ticket Granting Ticket) to the local credential cache.
  • Added support for conditional access control entries (Conditional ACE), which allow access to be granted or denied depending on additional conditions: if the conditional expression does not evaluate to true, the ACE is ignored; otherwise it is applied as a regular ACE. Conditional checks can also refer to attributes of the securable object, described by resource attribute ACEs (Resource Attribute ACE).
  • The ctdb cluster implementation has added the ability to provide the MS-SWN (Service Witness Protocol) service, with which clients can monitor their SMB connections to cluster nodes. For example, a client connected to node “A” can request node “B” to send a notification if node “A” is unreachable. To manage the service, a series of “net witness (list|client-move|share-move|force-unregister|force-response)” commands are proposed, allowing the cluster administrator to view registered clients and request that the connection be transferred to other cluster nodes.
  • Configurations with MIT Kerberos5 running as an Active Directory domain controller now require at least MIT Krb5 version 1.21, which adds additional protection against the vulnerability CVE-2022-37967.
  • When building with imported Heimdal Kerberos, the Perl JSON module is no longer required to be installed, instead the JSON::PP module built into Perl5 is used.
  • The “samba-tool user getpassword” and “samba-tool user syncpasswords” commands, used to retrieve and synchronize passwords, have changed their output when the “;rounds=” option is used with the virtualCryptSHA256 and virtualCryptSHA512 attributes (for example, '--attributes="virtualCryptSHA256;rounds=50000"'):
    Before: virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
    After: virtualCryptSHA256;rounds=2561:{CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
  • The MS-WKST (Workstation Service Remote Protocol) implementation no longer supports displaying a list of connected users based on the contents of the /var/run/utmp file, which stores data about users currently working in the system. utmp support has been discontinued due to the format's susceptibility to the Year 2038 issue.
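As an added example (not code from Samba or from this announcement), the following Python parser accepts both the old and the new output forms of the virtualCryptSHA256/virtualCryptSHA512 attribute shown above, extracts the rounds option and the rounds encoded inside the {CRYPT} hash, and flags a mismatch between the two; the sample lines are constructed and the hashes are not real.

```python
import re

# Constructed sample lines (not real hashes): the pre-4.20 output form and the
# 4.20 form for the same virtualCryptSHA256 value, plus a deliberately
# inconsistent line to exercise the mismatch check.
OLD_LINE = "virtualCryptSHA256: {CRYPT}$5$rounds=2561$abcdefghijklmnop$ConstructedHash"
NEW_LINE = "virtualCryptSHA256;rounds=2561:{CRYPT}$5$rounds=2561$abcdefghijklmnop$ConstructedHash"
BAD_LINE = "virtualCryptSHA512;rounds=50000:{CRYPT}$6$rounds=5000$abcdefghijklmnop$ConstructedHash"

# "attr[;rounds=N]: value" as emitted by samba-tool; whitespace after ':' is optional.
LINE_RE = re.compile(
    r"^(?P<attr>virtualCryptSHA(?:256|512))(?:;rounds=(?P<opt_rounds>\d+))?:\s*(?P<value>\S+)$"
)
# SHA-crypt string: $5$ (sha256) or $6$ (sha512), optional rounds= field, salt, hash.
CRYPT_RE = re.compile(
    r"^\{CRYPT\}\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]+)\$(?P<hash>[^$]+)$"
)
DEFAULT_ROUNDS = 5000  # crypt(3) SHA-crypt default when no rounds= field is present


def parse_virtual_crypt(line: str) -> dict:
    """Parse one getpassword/syncpasswords output line and cross-check the rounds."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a virtualCryptSHA* line: {line!r}")
    c = CRYPT_RE.match(m.group("value"))
    if c is None:
        raise ValueError(f"not a {{CRYPT}} SHA-crypt value: {m.group('value')!r}")
    attr = m.group("attr")
    # The attribute name and the crypt scheme id must agree ($5$ <-> SHA256, $6$ <-> SHA512).
    if attr.endswith("256") != (c.group("id") == "5"):
        raise ValueError(f"{attr} does not match crypt scheme ${c.group('id')}$")
    opt_rounds = int(m.group("opt_rounds")) if m.group("opt_rounds") else None
    hash_rounds = int(c.group("rounds")) if c.group("rounds") else DEFAULT_ROUNDS
    return {
        "attribute": attr,
        "option_rounds": opt_rounds,  # None for the pre-4.20 output form
        "hash_rounds": hash_rounds,   # rounds actually encoded in the hash
        "salt": c.group("salt"),
        # The 4.20 form makes it possible to verify that the requested rounds were applied.
        "consistent": opt_rounds is None or opt_rounds == hash_rounds,
    }
```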
